SAP audit log can have high volumes. For that reason most companies use file system to write the audit log.
If you have a SIEM (Security Information and Event Management) solution (like SAP enterprise treat detection, Onapsis, SecurityBridge and many more) that needs to scan your audit log, the best way is to store the audit log data in the database. This ensures that the audit log can be analyzed at high performance.
The unfortunate side of storing in the database means that the audit log table can grow quite fast, which is expensive especially if you run on HANA.
To counter the high costs, you can unload the data from the database into archive files for SAP audit log. This means that your most recent data is in the database for fast analysis, and your history is on cheaper disc storage.
This blog will explain how to archive production order data via object BC_SAL. Generic technical setup must have been executed already, and is explained in this blog.
If you still have files, you must first move the files to database table, before you can archive them. See OSS note 3055825 – RSAU_LOAD_FILES for transferring audit log data to the SAL database.
Object BC_SAL
Go to transaction SARA and select object BC_SAL.
Dependency schedule is empty, so there are no dependencies:
Main table that is archived:
- RSAU_BUF_DATA SAL (Temporary Event Log) (is the only table in ECC 6.0 and older netweaver systems)
- RSAU_LOG (newer systems); see also OSS note 2191612 – FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50 and 3592196 – BC_SAL DB15 table RSAU_LOG missing
Technical programs and OSS notes
Write program: RSAU_ARCHIVE_WRITE
Delete program: RSAU_ARCHIVE_DELETE
Read from archive: RSAU_ARCHIVE_READ
Reload from archive: RSAU_ARCHIVE_RELOAD (handle with care, can always lead to inconsistencies and issues), see OSS note 3094328 – RSAU_ARCHIVE_RELOAD | Reloading Security Audit Log archives
Relevant OSS notes:
- 3163819 – RSAU_ARCHIVE_READ | Archive Information Structure support for RSAU_LOG
- 3323638 – Performance optimization for RSAU_ARCHIVE_DELETE
- 3353529 – Enhancement of archive management for Security Audit Log
- 3439136 – Audit Log Archive and Delete: Program RSAU_ARCHIVE_WRITE failed with short dump TSV_TNEW_PAGE_ALLOC_FAILED
- 3499903 – RSAU_ARCHIVE_READ | Selection criteria do not work
- 3567644 – Deletion data object is shown when reading job by report RSAU_ARCHIVE_READ
- 3587392 – SAL | Client-specific archiving for audit log
- 3617376 – DBSQL_SQL_INTERNAL_DB_ERROR dump occurs when archiving SAL from database
- 3628892 – RSAU_ARCHIVE_READ | Read data from archive files based on database table RSAU_LOG not possible
- 3635386 – RSAU_ARCHIVE_WRITE | Job Log without meaningful error message or progress status
- 3658799 – View archive audit log
Application specific customizing
For archiving object BC_SAL there is no application specific customizing needed.
Executing the write run and delete run
A high level description of the run is given in OSS 3137004 – How to archive and delete audit log from DB.
In transaction SARA, BC_SAL select the write run:
Select your data, save the variant and start the archiving write run.
After the write run is done, check the logs. BC_SAL archiving has high speed, and high percentage of archiving (normal is 100%).
Proved a good name for the archive file for later use!
Deletion run is standard by selecting the archive file and starting the deletion run.
Data retrieval
Data retrieval is via program RSAU_ARCHIVE_READ, or SARA and select the read button:
After pressing execute, you will get a popup screen to select the archive files. Output is a simple ALV list with the audit log event details.